NAT mode
In this example, both VDOM-A and VDOM-B use NAT mode. A VDOM link is created that allows users on the internal network to access the FTP server.
This configuration requires the following steps:
- Configure VDOM-A
- Configure VDOM-B
- Configure the VDOM link
Configure VDOM-A
VDOM-A allows connections from devices on the internal network to the Internet. WAN 1 and port 1 are assigned to this VDOM.
The per-VDOM configuration for VDOM-A includes the following:
- A firewall address for the internal network
- A static route to the ISP gateway
- A security policy allowing the internal network to access the Internet
All procedures in this section require you to connect to VDOM-A, either using a global or per-VDOM administrator account.
To add the firewall addresses in the GUI:
- Go to Policy & Objects > Addresses and create a new address.
- Enter the following information:
    - Name: internal-network
    - Type: Subnet
    - Subnet / IP Range: 192.168.10.0/255.255.255.0
    - Interface: port1
- Click OK.
To add the firewall addresses with the CLI:
    config vdom
        edit VDOM-A
            config firewall address
                edit internal-network
                    set associated-interface port1
                    set subnet 192.168.10.0 255.255.255.0
                next
            end
        next
    end
To add a default route in the GUI:
- Go to Network > Static Routes and create a new route.
- Enter the following information:
    - Destination: Subnet
    - IP address: 0.0.0.0/0.0.0.0
    - Gateway: 172.20.201.7
    - Interface: wan1
    - Distance: 10
- Click OK.
To add a default route with the CLI:
    config vdom
        edit VDOM-A
            config router static
                edit 0
                    set gateway 172.20.201.7
                    set device wan1
                next
            end
        next
    end
To add the security policy in the GUI:
- Go to Policy & Objects > Firewall Policy and create a new policy.
- Enter the following information:
    - Name: VDOM-A-Internet
    - Incoming Interface: port1
    - Outgoing Interface: wan1
    - Source: internal-network
    - Destination: all
    - Schedule: always
    - Service: ALL
    - Action: ACCEPT
    - NAT: enabled
- Click OK.
To add the security policy with the CLI:
    config vdom
        edit VDOM-A
            config firewall policy
                edit 1
                    set name "VDOM-A-Internet"
                    set srcintf "port1"
                    set dstintf "wan1"
                    set srcaddr "internal-network"
                    set dstaddr "all"
                    set action accept
                    set schedule "always"
                    set service "ALL"
                    set nat enable
                next
            end
        next
    end
Configure VDOM-B
VDOM-B allows external connections to reach an internal FTP server. WAN 2 and port 2 are assigned to this VDOM.
The per-VDOM configuration for VDOM-B includes the following:
- A firewall address for the FTP server
- A virtual IP address for the FTP server
- A static route to the ISP gateway
- A security policy allowing external traffic to reach the FTP server
All procedures in this section require you to connect to VDOM-B, either using a global or per-VDOM administrator account.
To add the firewall addresses in the GUI:
- Go to Policy & Objects > Addresses and create a new address.
- Enter the following information:
    - Address Name: FTP-server
    - Type: Subnet
    - Subnet / IP Range: 192.168.20.10/32
    - Interface: port2
    - Show in Address List: enabled
- Click OK.
To add the firewall addresses with the CLI:
    config vdom
        edit VDOM-B
            config firewall address
                edit FTP-server
                    set associated-interface port2
                    set subnet 192.168.20.10 255.255.255.255
                next
            end
        next
    end
To add the virtual IP address in the GUI:
- Go to Policy & Objects > Virtual IPs and create a new virtual IP address.
- Enter the following information:
    - Name: FTP-server-VIP
    - Interface: wan2
    - External IP Address/Range: 172.25.177.42
    - Internal IP Address/Range: 192.168.20.10
- Click OK.
To add the virtual IP address with the CLI:
    config vdom
        edit VDOM-B
            config firewall vip
                edit FTP-server-VIP
                    set extip 172.25.177.42
                    set extintf wan2
                    set mappedip 192.168.20.10
                next
            end
        next
    end
To add a default route in the GUI:
- Go to Network > Static Routes and create a new route.
- Enter the following information:
    - Destination: Subnet
    - IP address: 0.0.0.0/0.0.0.0
    - Gateway: 172.20.10.10
    - Interface: wan2
    - Distance: 10
- Click OK.
To add a default route with the CLI:
    config vdom
        edit VDOM-B
            config router static
                edit 0
                    set gateway 172.20.10.10
                    set device wan2
                next
            end
        next
    end
To add the security policy in the GUI:
- Go to Policy & Objects > Firewall Policy and create a new policy.
- Enter the following information:
    - Name: Access-server
    - Incoming Interface: wan2
    - Outgoing Interface: port2
    - Source: all
    - Destination: FTP-server-VIP
    - Schedule: always
    - Service: FTP
    - Action: ACCEPT
    - NAT: enabled
- Click OK.
To add the security policy with the CLI:
    config vdom
        edit VDOM-B
            config firewall policy
                edit 1
                    set name "Access-server"
                    set srcintf "wan2"
                    set dstintf "port2"
                    set srcaddr "all"
                    set dstaddr "FTP-server-VIP"
                    set action accept
                    set schedule "always"
                    set service "FTP"
                    set nat enable
                next
            end
        next
    end
Configure the VDOM link
The VDOM link allows connections from VDOM-A to VDOM-B. This allows users on the internal network to access the FTP server through the FortiGate.
The configuration for the VDOM link includes the following:
- The VDOM link interface
- Firewall addresses for the FTP server on VDOM-A and for the internal network on VDOM-B
- Static routes for the FTP server on VDOM-A and for the internal network on VDOM-B
- Policies allowing traffic using the VDOM link
All procedures in this section require you to connect to the global VDOM using a global administrator account.
To add the VDOM link in the GUI:
- In the Global VDOM, go to Network > Interfaces and select Create New > VDOM link.
- Enter the following information:
    - Name: VDOM-link
    - Interface 0:
        - Virtual Domain: VDOM-A
        - IP/Netmask: 0.0.0.0/0.0.0.0
    - Interface 1:
        - Virtual Domain: VDOM-B
        - IP/Netmask: 0.0.0.0/0.0.0.0
- Click OK.
To add the VDOM link with the CLI:
    config global
        config system vdom-link
            edit "VDOM-link"
            next
        end
    end
To add the firewall address on VDOM-A in the GUI:
- In the VDOM-A VDOM, go to Policy & Objects > Addresses and create a new address.
- Enter the following information:
    - Address Name: FTP-server
    - Type: Subnet
    - Subnet / IP Range: 192.168.20.10/32
    - Interface: VDOM-link0
    - Show in Address List: enabled
    - Static Route Configuration: enabled
- Click OK.
To add the firewall addresses on VDOM-A with the CLI:
    config vdom
        edit VDOM-A
            config firewall address
                edit "FTP-server"
                    set associated-interface "VDOM-link0"
                    set allow-routing enable
                    set subnet 192.168.20.10 255.255.255.255
                next
            end
        next
    end
To add the static route on VDOM-A in the GUI:
- In the VDOM-A VDOM, go to Network > Static Routes and create a new route.
- Enter the following information:
    - Destination: Named Address
    - Named Address: FTP-server
    - Gateway: 0.0.0.0
    - Interface: VDOM-link0
- Click OK.
To add the static route on VDOM-A with the CLI:
    config vdom
        edit VDOM-A
            config router static
                edit 0
                    set device VDOM-link0
                    set dstaddr FTP-server
                next
            end
        next
    end
To add the security policy on VDOM-A in the GUI:
- In the VDOM-A VDOM, go to Policy & Objects > Firewall Policy and create a new policy.
- Enter the following information:
    - Name: Access-FTP-server
    - Incoming Interface: port1
    - Outgoing Interface: VDOM-link0
    - Source: internal-network
    - Destination: FTP-server
    - Schedule: always
    - Service: FTP
    - Action: ACCEPT
    - NAT: disabled
- Click OK.
To add the security policy on VDOM-A with the CLI:
    config vdom
        edit VDOM-A
            config firewall policy
                edit 0
                    set name Access-FTP-server
                    set srcintf port1
                    set dstintf VDOM-link0
                    set srcaddr internal-network
                    set dstaddr FTP-server
                    set action accept
                    set schedule always
                    set service FTP
                next
            end
        next
    end
To add the firewall address on VDOM-B in the GUI:
- In the VDOM-B VDOM, go to Policy & Objects > Addresses and create a new address.
- Enter the following information:
    - Address Name: internal-network
    - Type: Subnet
    - Subnet / IP Range: 192.168.10.0/24
    - Interface: VDOM-link1
    - Show in Address List: enabled
    - Static Route Configuration: enabled
- Click OK.
To add the firewall addresses on VDOM-B with the CLI:
    config vdom
        edit VDOM-B
            config firewall address
                edit internal-network
                    set associated-interface VDOM-link1
                    set allow-routing enable
                    set subnet 192.168.10.0 255.255.255.0
                next
            end
        next
    end
To add the static route on VDOM-B in the GUI:
- In the VDOM-B VDOM, go to Network > Static Routes and create a new route.
- Enter the following information:
    - Destination: Named Address
    - Named Address: internal-network
    - Gateway: 0.0.0.0
    - Interface: VDOM-link1
- Click OK.
To add the static route on VDOM-B with the CLI:
    config vdom
        edit VDOM-B
            config router static
                edit 0
                    set device VDOM-link1
                    set dstaddr internal-network
                next
            end
        next
    end
To add the security policy on VDOM-B in the GUI:
- In the VDOM-B VDOM, go to Policy & Objects > Firewall Policy and create a new policy.
- Enter the following information:
    - Name: Internal-server-access
    - Incoming Interface: VDOM-link1
    - Outgoing Interface: port2
    - Source: internal-network
    - Destination: FTP-server
    - Schedule: always
    - Service: FTP
    - Action: ACCEPT
    - NAT: disabled
- Click OK.
To add the security policy on VDOM-B with the CLI:
    config vdom
        edit VDOM-B
            config firewall policy
                edit 0
                    set name Internal-server-access
                    set srcintf VDOM-link1
                    set dstintf port2
                    set srcaddr internal-network
                    set dstaddr FTP-server
                    set action accept
                    set schedule always
                    set service FTP
                next
            end
        next
    end
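As an added check that is not part of the Fortinet documentation or of FortiOS itself, the following Python script parses the run-together CLI snippets above and confirms that each side of the VDOM link has the static route and accept policy the path needs, and that neither link policy enables NAT. The SAMPLE string reproduces this page's VDOM-A and VDOM-B link routes and policies; treating `edit 0` as "next free id" is an assumption about FortiOS auto-numbering.

```python
import shlex

# Constructed sample: this page's VDOM link routes and policies, one snippet per line.
SAMPLE = """
config vdom edit VDOM-A config router static edit 0 set device VDOM-link0 set dstaddr FTP-server next end next end
config vdom edit VDOM-A config firewall policy edit 0 set name Access-FTP-server set srcintf port1 set dstintf VDOM-link0 set srcaddr internal-network set dstaddr FTP-server set action accept set schedule always set service FTP next end next end
config vdom edit VDOM-B config router static edit 0 set device VDOM-link1 set dstaddr internal-network next end next end
config vdom edit VDOM-B config firewall policy edit 0 set name Internal-server-access set srcintf VDOM-link1 set dstintf port2 set srcaddr internal-network set dstaddr FTP-server set action accept set schedule always set service FTP next end next end
"""

def statements(text):
    """Split CLI text (even the one-line form) into [keyword, *args] lists; a value equal to a keyword is not handled."""
    toks = shlex.split(text)
    starts = [i for i, t in enumerate(toks) if t in ("config", "edit", "set", "next", "end")]
    return [toks[i:j] for i, j in zip(starts, starts[1:] + [len(toks)])]

def parse(text):
    """Nest config table -> edit entry -> attributes; 'edit 0' is read as the next free id (assumed)."""
    stack = [{}]
    for kw, *args in statements(text):
        if kw == "set":
            stack[-1][args[0]] = args[1] if len(args) == 2 else args[1:]
        elif kw in ("next", "end"):
            stack.pop()
        else:  # config <table> or edit <entry>: descend one level
            key = " ".join(args)
            if kw == "edit" and key == "0":
                key = str(max((int(k) for k in stack[-1] if k.isdigit()), default=0) + 1)
            stack.append(stack[-1].setdefault(key, {}))
    return stack[0]

def check_link_path(cfg, link, src_vdom, dst_vdom, src_addr, dst_addr):
    """Findings for src_vdom -> dst_vdom over `link` (link+'0' in src_vdom, link+'1' in dst_vdom); [] means complete."""
    findings = []
    for vdom, iface, remote, direction in [(src_vdom, link + "0", dst_addr, "dstintf"),
                                           (dst_vdom, link + "1", src_addr, "srcintf")]:
        v = cfg.get("vdom", {}).get(vdom, {})
        if not any(r.get("device") == iface and r.get("dstaddr") == remote
                   for r in v.get("router static", {}).values()):
            findings.append(f"{vdom}: no static route to {remote} via {iface}")
        pols = [p for p in v.get("firewall policy", {}).values()
                if p.get(direction) == iface and p.get("action") == "accept"
                and p.get("srcaddr") == src_addr and p.get("dstaddr") == dst_addr]
        if not pols:
            findings.append(f"{vdom}: no accept policy {src_addr} -> {dst_addr} on {iface}")
        # SNAT on a link policy would hide the real source from the far side's srcaddr match
        findings += [f"{vdom}: policy {p.get('name')} enables NAT over the link"
                     for p in pols if p.get("nat") == "enable"]
    return findings
```

Feeding the full page's CLI (including the default routes that also use `edit 0`) works because each `edit 0` is given its own id.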